Monthly Compliance Training: Protecting Your Clients’ Privacy

Presentation transcript:

Monthly Compliance Training: Protecting Your Clients’ Privacy April 2017 HMIAT004093

Objectives
By the end of this course, you will be able to:
- Know what is considered a Privacy Breach
- Know the top 3 Privacy Breaches committed by agents
- Know what information is required for insurance company records
- Know what information an agent should and should not retain for their records
- Know how to properly destroy documents containing your client’s private and secured information

An Agent’s Trust
Trust is:
- An essential tool to building a good business
- Letting clients know the pros and cons when making insurance choices
- Helping clients choose the right coverage fitting their needs and budget
- Being transparent in presenting all of the facts
- Protecting the client’s personal health information and identity from privacy breaches

Key Terminology
- PHI: Protected Health Information
- PII: Personal Identifying Information

Be Aware
What is considered a privacy breach? Examples include:
- Replying to an unsecure email containing PHI
- Using a device for HealthMarkets business without encryption
- Verbally communicating PHI in a public setting
Where is your client’s personal information stored?
- Carrier portal
- CRM
- State/Federal exchange
If you store client information, electronic or paper, you need to know what to keep and what to destroy properly.

Protecting Private Information
Agents must secure PHI and PII, including:
- Encrypting any device used to conduct HealthMarkets business
- Agents must report any theft containing clients’ private information to local police within 24 hours
- Agents must report a privacy breach within 24 hours to Agency Standards including the following details to AgencyComplianceQuestions@HealthMarketsHQ.com: Who? What? When? How? Where?

Information Retention

Insurance Company vs. Agent Needs
Insurance Company Needs:
- Bank Routing & Account Numbers
- Direct Deposit
- Salary/Income
- Social Security Number
- Credit/Debit Card & Security Code
Agent Needs:
- Name(s) of Insured
- Address
- Phone Number
- E-mail
- Type of Coverage
- Reason for Product Choice(s)
- Previous Coverage and Carrier(s)

Reason for Product Choice(s)
Examples:
- Jane Smith wanted a plan including her doctors in their network so she chose the carrier’s PPO plan instead of the HMO plan
- Jim Jones wanted an accident plan, because he has 3 children under the age of 10 that play sports
- Sally Brown wanted health insurance with a low deductible, because she was hospitalized and used her savings to help pay the high deductible she had last year

Protecting Financial Information
Numerous complaints have been received where a client alleges bank or credit card information was provided to the agent when they applied for health insurance, and the agent used the information to submit an application for supplemental coverage the client did not need or request.
The allegations were substantiated, because:
- An email or other communication was provided by the client demonstrating the agent requested the financial information
- The agent conducted the sales presentation over the phone and entered the financial information on the application instead of the client
If the proper process is followed, the agent would not have the client’s financial information stored to use at a later time to enroll the customer in additional coverage without their knowledge.

Protecting Financial Information
- Agents have told Agency Standards financial information is requested to help the client set up premium payments
- Client premium payments should be done during the application process while the client is present, and agents should not retain the secured financial information
- Certain insurance companies may require Social Security Numbers during the application process; however, agents should not keep the information in their records

Why can’t an agent retain payment information?
- Security laws exist with specific requirements for any individual who obtains/retains certain financial information
- When financial information is required for premium payment, the insurance company’s expectation is the client is present, the agent is entering it in as the client recites it, and the agent is not retaining the information
- The practice of retaining a client’s financial information when not required puts the agent’s intent in question, especially when the client alleges their identity was compromised

The Top 3 Reasons for Privacy Breaches
1. Unsecured email responses
2. Unencrypted devices
3. Publicized personal identifying information

#1: Unsecured Email Responses
- Agents who reply to an email containing private information, even if unsolicited, create a privacy breach by resending the information through unsecure means
- To let a client know their communication was received, create a new email to ensure privacy is not breached

Scenario 1: Unsecured Email Responses
A client emails the following information to their agent they believe is needed to enroll them in health insurance:
- Name
- Date of birth
- Social security number
- Height
- Weight
The agent replies back to the client: “I received your information below; and if I need anything else, I will contact you.”
Did the agent breach private information even though the information was unsolicited from the client?

#2: Unencrypted Devices
- Agents fail to take required measures to secure and protect personal health and identifiable information stored on computers, laptops, tablets and smart phones with appropriate encryption software
- Keeping equipment such as a laptop or smart phone on your person is a very good safeguard, but lost and stolen merchandise is the reason for the encryption requirement and why agents must attest annually they have taken the appropriate security measures

Scenario 2: Unencrypted Devices
An agent, who always keeps their unencrypted laptop on their person, was robbed. During the robbery, the agent’s laptop was stolen. The laptop contained client information, such as:
- Name
- Date of birth
- Address
- Policy numbers for various insurance companies
- Claim details
Did the agent breach private information, even though being robbed was outside of their control?

#3: Publicized Personal Identifying Information
- Customers take their personal and private information seriously. Complaints have been received from customers alleging an agent verbally communicated their private information in a public setting
- Face to Face sales presentations are always preferred. Therefore, agents should be aware of their surroundings and ensure unauthorized individuals cannot overhear protected information

Scenario 3: Publicized Personal Identifying Information
An agent meets their client at a small local café with limited space where their chair bumps into the next table when repositioning. The agent summarizes the presentation and verbally states:
- “The plan is for you and your husband.”
- “It’s a silver plan with a moderate deductible and copay.”
- “The plan has benefits for chemical dependency.”
- “You qualify for a federal subsidy.”
Did the agent breach private or protected information?

How to Properly Destroy PII or PHI
Protecting your client’s private information includes properly destroying it when it is not required:
- Don’t throw private information in the trash where others could possibly see or retrieve it
- Don’t store it on electronic devices that could be resold, lost, or stolen
How to protect clients when destroying PHI and PII:
- Delete electronic copies located in your email, folders on your laptop/tablet, or pictures on your smartphone
- Hard copies should be shredded or placed in a secured and locked bin that is removed by an authorized individual/company

Report It
It is your responsibility as an agent to report unethical or non-compliant activity.
Contact:
- Email: Agency.Standards@HealthMarketsHQ.com
Report it anonymously:
- Phone: (toll free) 877-778-5463
- Online: https://secure.reportit.net (user name: HMI password: HMI)